1. Technical Field
The present disclosure relates to key management technology used in encryption processing for safely transmitting and receiving messages (frames) over an onboard network.
2. Description of the Related Art
In recent years, a great number of electronic control units (ECUs) have been placed in systems in automobiles. A network connecting these ECUs is referred to as an onboard network. Many standards exist for onboard networks. The most mainstream of these is a standard called Controller Area Network (CAN), which is stipulated in ISO11898-1 (see CAN Specification 2.0 Part A, [online], CAN in Automation (CiA), [searched Nov. 14, 2014], Internet (URL: http://www.can-cia.org/fileadmin/cia/specifications/CAN20A.pdf)).
A CAN is configured using two buses, and each ECU connected to the buses is called a node. Each node connected to a bus transmits and receives messages called frames. CAN has no identifiers indicating the transmission destination or transmission source. Instead, the transmitting node attaches an ID (called a CAN-ID) to each frame and transmits it (i.e., sends out signals to the bus), and each receiving node receives only frames with a predetermined ID (i.e., reads signals from the bus). The Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) scheme is employed, so when multiple nodes transmit at the same time, arbitration by CAN-ID is performed, with frames having a smaller message ID value being transmitted with higher priority.
CAN has no security function that anticipates the transmission of unauthorized frames, so an unauthorized node connected to the bus in the onboard network could transmit unauthorized frames and thereby control the vehicle without authorization. To prevent control by such unauthorized frames, a technology is known for CAN in which a message authentication code (MAC) is added to the data field before transmission, so that frames transmitted by authorized ECUs can be identified (see Japanese Unexamined Patent Application Publication No. 2013-98719). A temporary session key is preferably generated periodically and used in generating MACs, to improve resistance against brute-force attacks that try to identify the key used to generate MACs.
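The MAC-in-data-field scheme described above can be sketched as follows. This is an added example, not part of the original disclosure or of the cited publication; it assumes HMAC-SHA256 truncated to 4 bytes, a 4-byte payload, and a frame counter kept in sync by sender and receiver, none of which the text specifies.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4      # assumed truncation: 4 payload bytes + 4 MAC bytes = 8-byte data field
PAYLOAD_LEN = 4  # assumed payload size


def compute_mac(session_key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """Truncated HMAC-SHA256 over CAN-ID, frame counter and payload."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_data_field(session_key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """Sender side: data field = payload || MAC."""
    if len(payload) != PAYLOAD_LEN or not 0 <= can_id <= 0x7FF:
        raise ValueError("expected an 11-bit CAN-ID and a 4-byte payload")
    return payload + compute_mac(session_key, can_id, payload, counter)


def verify_data_field(session_key: bytes, can_id: int, data: bytes, counter: int):
    """Receiver side: return the payload if the MAC verifies, otherwise None."""
    if len(data) != PAYLOAD_LEN + MAC_LEN:
        return None
    payload, mac = data[:PAYLOAD_LEN], data[PAYLOAD_LEN:]
    expected = compute_mac(session_key, can_id, payload, counter)
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return payload if hmac.compare_digest(mac, expected) else None


def demo() -> dict:
    """Constructed scenario: authorized frame, wrong MAC, replay, key rotation."""
    can_id, payload = 0x123, bytes([0x00, 0x50, 0x00, 0x00])   # constructed values
    key_a, key_b = bytes(range(16)), bytes(range(16, 32))      # constructed session keys
    frame = build_data_field(key_a, can_id, payload, counter=1)
    wrong_mac = frame[:-1] + bytes([frame[-1] ^ 0x01])         # frame from a keyless node
    return {
        "authorized": verify_data_field(key_a, can_id, frame, 1) == payload,
        "wrong_mac": verify_data_field(key_a, can_id, wrong_mac, 1) is not None,
        "replayed": verify_data_field(key_a, can_id, frame, 2) is not None,
        "after_rotation": verify_data_field(key_b, can_id, frame, 1) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

A 4-byte MAC leaves only 32 bits of forgery resistance per key, which is why the session key is rotated periodically rather than used indefinitely.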
In a case where a particular ECU handles generation of the session key, the session key can be safely distributed (transmitted) among ECUs if it is encrypted using a key shared among authorized ECUs beforehand (called a “shared key”). However, if leakage of the shared key cannot be appropriately detected, an unauthorized ECU is able to receive the session key and generate MACs.